security: Introduce functions for input device hot(un)plug

Export the existing DAC and SELinux for separate use and introduce
functions for stack, nop and the security manager.
This commit is contained in:
Ján Tomko 2017-11-21 13:31:53 +01:00
parent cbf4242db7
commit d8116b5a0a
8 changed files with 110 additions and 0 deletions

View File

@ -1276,6 +1276,7 @@ virSecurityManagerRestoreAllLabel;
virSecurityManagerRestoreDiskLabel; virSecurityManagerRestoreDiskLabel;
virSecurityManagerRestoreHostdevLabel; virSecurityManagerRestoreHostdevLabel;
virSecurityManagerRestoreImageLabel; virSecurityManagerRestoreImageLabel;
virSecurityManagerRestoreInputLabel;
virSecurityManagerRestoreMemoryLabel; virSecurityManagerRestoreMemoryLabel;
virSecurityManagerRestoreSavedStateLabel; virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerSetAllLabel; virSecurityManagerSetAllLabel;
@ -1285,6 +1286,7 @@ virSecurityManagerSetDiskLabel;
virSecurityManagerSetHostdevLabel; virSecurityManagerSetHostdevLabel;
virSecurityManagerSetImageFDLabel; virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel; virSecurityManagerSetImageLabel;
virSecurityManagerSetInputLabel;
virSecurityManagerSetMemoryLabel; virSecurityManagerSetMemoryLabel;
virSecurityManagerSetProcessLabel; virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSavedStateLabel;

View File

@ -2123,6 +2123,9 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel, .domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel, .domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel,
.domainSetSecurityInputLabel = virSecurityDACSetInputLabel,
.domainRestoreSecurityInputLabel = virSecurityDACRestoreInputLabel,
.domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel, .domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel, .domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel, .domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel,

View File

@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
virDomainMemoryDefPtr mem); virDomainMemoryDefPtr mem);
typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input);
typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainInputDefPtr input);
typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
const char *path); const char *path);
@ -163,6 +169,9 @@ struct _virSecurityDriver {
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel; virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel; virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel; virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel; virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel; virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;

View File

@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
virReportUnsupportedError(); virReportUnsupportedError();
return -1; return -1;
} }
int
virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainInputDefPtr input)
{
if (mgr->drv->domainSetSecurityInputLabel) {
int ret;
virObjectLock(mgr);
ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
virObjectUnlock(mgr);
return ret;
}
virReportUnsupportedError();
return -1;
}
int
virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainInputDefPtr input)
{
if (mgr->drv->domainRestoreSecurityInputLabel) {
int ret;
virObjectLock(mgr);
ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
virObjectUnlock(mgr);
return ret;
}
virReportUnsupportedError();
return -1;
}

View File

@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm, virDomainDefPtr vm,
virDomainMemoryDefPtr mem); virDomainMemoryDefPtr mem);
int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainInputDefPtr input);
int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainInputDefPtr input);
int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr, int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm, virDomainDefPtr vm,
const char *path); const char *path);

View File

@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
return 0; return 0;
} }
static int
virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainInputDefPtr input ATTRIBUTE_UNUSED)
{
return 0;
}
virSecurityDriver virSecurityDriverNop = { virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0, .privateDataLen = 0,
@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop, .domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop, .domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
.domainSetSecurityInputLabel = virSecurityDomainInputLabelNop,
.domainRestoreSecurityInputLabel = virSecurityDomainInputLabelNop,
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop, .domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop, .domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop, .domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,

View File

@ -3064,6 +3064,9 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel, .domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel, .domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel,
.domainSetSecurityInputLabel = virSecuritySELinuxSetInputLabel,
.domainRestoreSecurityInputLabel = virSecuritySELinuxRestoreInputLabel,
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel, .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel, .domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel,
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel, .domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel,

View File

@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
return rc; return rc;
} }
static int
virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainInputDefPtr input)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItemPtr item = priv->itemsHead;
int rc = 0;
for (; item; item = item->next) {
if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
rc = -1;
}
return rc;
}
static int
virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainInputDefPtr input)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItemPtr item = priv->itemsHead;
int rc = 0;
for (; item; item = item->next) {
if (virSecurityManagerRestoreInputLabel(item->securityManager,
vm, input) < 0)
rc = -1;
}
return rc;
}
static int static int
virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr, virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm, virDomainDefPtr vm,
@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel, .domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel, .domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
.domainSetSecurityInputLabel = virSecurityStackSetInputLabel,
.domainRestoreSecurityInputLabel = virSecurityStackRestoreInputLabel,
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel, .domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel, .domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel, .domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,